largest single day result in a 90 day period

I have a search to find total ingest into Splunk, which I can run for a day or against a longer period by using the time picker. If you run it against a 24 hour period it tells you how much raw data has been ingested into Splunk in 24 hours. It works well. Management have asked to find what was the largest single day ingest in a 90 day period. How would I go about editing my search to display this?

The base search is:

index=* OR index=_* | fields sourcetype, _raw |eval size=len(_raw) |stats sum (size) as size | eval size=round(size/1024/1024,2)

I tried editing it to this and it seems to work, but I'm not sure the result I'm seeing is what I hope it is haha

index=* OR index=_* | fields sourcetype, _raw | eval size=len(_raw) | stats sum (size) as size | eval size=round(size/1024/1024,2) | bucket _time span=1d | stats max(size) as MaxSingleDayIngest

Can someone give me a sanity check please? I feel like the result I'm getting is too large to be correct. :)

Cheers!
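The reason the second search looks too large is the order of the pipeline: the first `stats sum(size)` collapses every event into a single row that no longer carries `_time`, so `bucket _time span=1d` has nothing to split and the final `max(size)` simply returns the 90-day total. The bucketing has to happen before the daily sum, and the max has to be taken over the per-day rows. The following search is an added example written for this answer, not the asker's own search; it uses the same `len(_raw)` approximation as the question and assumes the time picker is set to the 90-day window:

```spl
index=* OR index=_*
| eval size=len(_raw)
| bucket _time span=1d
| stats sum(size) AS daily_bytes BY _time
| eval daily_mb=round(daily_bytes/1024/1024,2)
| stats max(daily_mb) AS MaxSingleDayIngest
```

Stage by stage: `bucket _time span=1d` truncates each event's timestamp to its day, `stats sum(size) ... BY _time` produces one row per day with that day's raw volume, the `eval` converts it to MB, and the closing `stats max(...)` picks the largest day. If management also want to know which day it was, replace the last line with `| sort - daily_mb | head 1`, which keeps the `_time` of the winning day alongside its value. Note that `len(_raw)` counts characters of the stored event, so the figure is an approximation of indexed volume rather than a licensing figure.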
